Once again, according to a report from The Register, a high-profile institution has failed to purge its hard disks before disposing of them.

An audit at the Kennedy Space Center in Florida found that 14 computers had been released to the public without proper verification that the data on them had been destroyed. The audit covered a 12-month period starting in June 2009. This is not only a confidentiality threat to the Space Shuttle Program, but also a loss of public reputation and a violation of federal regulations.

News like this makes it obvious that there is still not enough public awareness that data leakage through improper disposal of data carriers is a real threat. And indeed, wiping sensitive data is an additional step in the media sanitization process, and there seems to be a fair amount of uncertainty about how to do it right.

Well, if the commercial value of the hardware is of no importance to you, a stroke with a sledgehammer is still the cheapest way to irrevocably destroy your data. However, many of you will probably prefer to recoup some money from the discarded hardware, e.g. on eBay, rather than simply applying brute force. Fair enough.

And in fact, it’s not that difficult to achieve this goal; open source tools are quite sufficient. It’s important to keep in mind, though, that simply deleting files is not enough: when you delete a file in Windows, only its entry in the directory (the file system’s table of contents) is erased, not the file content itself. That content may or may not get overwritten by new data in the future. Furthermore, copies of the file content may exist in many more locations on your hard disk.

This behaviour is not specific to Windows; it applies to every modern PC operating system. Consequently, it’s necessary to wipe the whole physical disk rather than only parts of it.

Before going into further detail, let’s review the history of proper disposal of data carriers over the last 15 years or so.

In 1996, Peter Gutmann presented a paper claiming that simply overwriting a hard disk was not sufficient to withstand magnetic force microscopy, and suggested a process of multiple overwrites with varying data patterns, the so-called Gutmann method.

More recent research, however, shows that the principal threat described in Gutmann’s paper no longer applies to modern hard disks (NIST considers all ATA hard disks manufactured after 2001 to be modern hard disks).

Thus, it’s sufficient to overwrite the entire physical disk once, preferably with random data. The tool ‘dd’, which is available on any common (free) Linux boot CD, does the job:

dd if=/dev/urandom of=/dev/sda bs=1M

/dev/sda is the first physical disk, /dev/sdb the second, and so on. On older kernels, PATA disks appear as /dev/hdx instead of /dev/sdx (current kernels name them /dev/sdx as well). Double-check the device name first (e.g. with fdisk -l): dd will happily overwrite whichever disk you name, including the one you booted from.

Allow several hours for wiping a modern disk entirely, and verify afterwards that the disk really reads back as random data rather than as your old files.
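The following added example (not from the original post) does in Python what the dd line above does on the shell, plus the two checks a practitioner wants afterwards: that a known plaintext marker can no longer be found anywhere on the medium, and that the medium now holds random-looking data rather than, say, zeros. It runs offline on a constructed disk image file full of plaintext (standing in for the remnants of “deleted” files described above); the size lookup via lseek and the same wipe_once() call also work on a real block device such as /dev/sdX when run as root. The marker string and the image layout are assumptions of this example.

```python
import os
import tempfile

# Constructed marker standing in for left-over plaintext on the disk.
MARKER = b"SECRET-PAYLOAD"
CHUNK = 1024 * 1024  # 1 MiB, the same block size as bs=1M in the dd command


def make_sample_image(path, entries=4096):
    """Build a throwaway disk image full of recognisable plaintext (demo only)."""
    with open(path, "wb") as f:
        for i in range(entries):
            f.write(MARKER + b"-%06d\n" % i)
    return os.path.getsize(path)


def device_size(fd):
    """Size in bytes of a regular file or a block device: seek to the end."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def wipe_once(path):
    """Single random overwrite of the whole target, equivalent to
    dd if=/dev/urandom of=<path> bs=1M.  Returns the number of bytes written."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = device_size(fd)
        written = 0
        while written < size:
            buf = os.urandom(min(CHUNK, size - written))
            off = 0
            while off < len(buf):          # os.write may write less than asked
                off += os.write(fd, buf[off:])
            written += len(buf)
        os.fsync(fd)  # make sure the data reached the medium, not just the page cache
    finally:
        os.close(fd)
    return written


def contains_marker(path, marker=MARKER):
    """Scan the raw target for the marker, handling matches across chunk boundaries."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):]


def looks_random(path, sample=65536):
    """Sanity check: every one of the 256 byte values should occur in a 64 KiB
    sample of random data (the chance that one is missing is about 256*e^-256)."""
    with open(path, "rb") as f:
        data = f.read(sample)
    return len(set(data)) == 256


def demo_run():
    """Run the whole procedure on a temporary image and report each check."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        size = make_sample_image(path)
        result = {
            "size": size,
            "marker_before": contains_marker(path),
            "random_before": looks_random(path),
            "written": wipe_once(path),
            "marker_after": contains_marker(path),
            "random_after": looks_random(path),
            "size_after": os.path.getsize(path),
        }
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    # For a real disk: double-check the device name, then as root call
    # wipe_once("/dev/sdX") followed by looks_random("/dev/sdX").
    for key, value in demo_run().items():
        print(f"{key}: {value}")
```

Note that looks_random() only detects a wipe that never happened (or a lazy zero-fill); it cannot tell you anything about sectors the drive has remapped and no longer exposes, which is the point the comments below make about bad blocks and flash.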

But what about fully encrypted disks (I’m talking about full disk/volume encryption here)? Isn’t eliminating the Data Encryption Key (DEK) itself sufficient to wipe the disk?

It depends.

If you can eliminate every instance of the DEK, including anything from which it could be reconstructed (e.g. intermediate keys under which it is wrapped), you’ve won. Properly encrypted data is indistinguishable from random data, and no conclusions about the plaintext are possible. Two caveats: this only holds if the encryption was done right, and only if the disk was encrypted before any sensitive data was written to it in clear, since encryption never touches sectors the drive has already remapped out of reach.
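The following added example (not Sophos’s code, and not a description of how SafeGuard stores its keys) shows the crypto-erase principle on an in-memory volume: a random DEK is wrapped under a passphrase-derived KEK and stored twice in a header, the data sectors are encrypted under the DEK, and “wiping” the volume means overwriting only the two key stores. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for the AES mode a real product uses; the header layout, sector size and passphrase are assumptions of this example. It also shows the flip side of the argument above: a DEK copy that survives elsewhere (here, one still held in memory) keeps the data readable after the erase.

```python
import hashlib
import hmac
import os

SECTOR = 512
KEY_LEN = 32
STORE_LEN = 16 + 32 + 32   # nonce || wrapped DEK || HMAC tag


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a toy stand-in for AES."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def sector_crypt(dek, sector_no, data):
    """Encrypt or decrypt one sector; the sector number acts as the tweak."""
    return xor(data, keystream(dek, b"sector" + sector_no.to_bytes(8, "big"), len(data)))


def kek_from_passphrase(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, KEY_LEN)


def wrap_dek(dek, kek):
    """Key store record: nonce || DEK encrypted under the KEK || tag over both."""
    nonce = os.urandom(16)
    wrapped = xor(dek, keystream(kek, b"wrap" + nonce, KEY_LEN))
    tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
    return nonce + wrapped + tag


def unwrap_dek(record, kek):
    """Return the DEK, or None if the record is damaged or erased (tag mismatch)."""
    nonce, wrapped, tag = record[:16], record[16:48], record[48:80]
    expected = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(wrapped, keystream(kek, b"wrap" + nonce, KEY_LEN))


class Volume:
    """In-memory disk image: salt, two key stores, then the encrypted sectors."""
    HEADER = 16 + 2 * STORE_LEN

    def __init__(self, passphrase, plaintext):
        salt = os.urandom(16)
        dek = os.urandom(KEY_LEN)
        kek = kek_from_passphrase(passphrase, salt)
        stores = wrap_dek(dek, kek) + wrap_dek(dek, kek)   # two copies of the DEK
        body = b"".join(sector_crypt(dek, i, plaintext[o:o + SECTOR])
                        for i, o in enumerate(range(0, len(plaintext), SECTOR)))
        self.image = bytearray(salt + stores + body)

    def recover_dek(self, passphrase):
        kek = kek_from_passphrase(passphrase, bytes(self.image[:16]))
        for k in range(2):                       # either key store will do
            start = 16 + k * STORE_LEN
            dek = unwrap_dek(bytes(self.image[start:start + STORE_LEN]), kek)
            if dek is not None:
                return dek
        return None

    def read_sector(self, dek, i):
        start = self.HEADER + i * SECTOR
        return sector_crypt(dek, i, bytes(self.image[start:start + SECTOR]))

    def crypto_erase(self):
        """Destroy only the header (salt and both key stores); leave the data."""
        self.image[:self.HEADER] = os.urandom(self.HEADER)


def demo():
    """Readable with the passphrase; unreadable after crypto-erase; still
    readable to anyone who kept a copy of the DEK."""
    text = (b"TOP SECRET shuttle telemetry " * 40)[:SECTOR * 2]   # constructed data
    vol = Volume("correct horse battery staple", text)
    dek = vol.recover_dek("correct horse battery staple")
    before = vol.read_sector(dek, 0) + vol.read_sector(dek, 1)
    wrong = vol.recover_dek("wrong passphrase")
    ciphertext = bytes(vol.image[Volume.HEADER:])
    vol.crypto_erase()
    return {
        "plaintext_before": before == text,
        "wrong_passphrase": wrong is None,
        "dek_after_erase": vol.recover_dek("correct horse battery staple"),
        "data_untouched": bytes(vol.image[Volume.HEADER:]) == ciphertext,
        "cached_dek_still_works": vol.read_sector(dek, 0) == text[:SECTOR],
        "ciphertext_byte_values": len(set(ciphertext)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The erase touches only the header, so it takes the same instant whether the volume is 1 GB or 1 TB; what makes it sound is that the wrapped DEK records are the only places the DEK exists at rest. The cached_dek_still_works result is the reminder that any other copy (a key escrow, a recovery file, a memory dump) has to be destroyed too.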

With Sophos SafeGuard Enterprise device encryption, you’re off the hook: the command line tool BeInvVol.exe destroys the two key stores (including the DEK) that exist on every volume encrypted by SafeGuard Enterprise. Simply call it from the command line of a Windows PE boot disk:

BeInvVol.exe xic:

In the twinkling of an eye, your C: volume is history, and subsequent reconstruction of the data is impossible.

As you can see, proper disk encryption is not rocket science. It not only protects your data assets against eavesdropping during the lifetime of the disk, but also saves you money when it comes to decommissioning it. Sounds like a good deal.

So this might be one more reason to complement your next Sophos Anti-Virus contract extension with a look at Sophos’s new disk encryption technology.


About the author

Michael A Schmidt is the primary security contact within Sophos Data Protection Group (DPG) software development. He has been with Utimaco (the predecessor of the DPG) development for many years, filling various development- and security-related positions. Currently, he is harassing the other developers in the group with the promotion of a security-oriented software development process. What’s more, Michael is forming a group of conspirators within Sophos to run a world-wide ‘Distributed Promotion of Secure Coding’ attack.

1) Modern Linux distributions will map PATA drives to sd{a,b,c,d} as well.
2) Overwriting doesn't cover bad blocks, which may have been mapped out. They can't be read normally, but a lab might be able to extract data from them.
3) Flash media can similarly remap stuck blocks, potentially leaving original data in inaccessible areas of the storage memory.

2 & 3 are only really solvable by encrypting the device so that the confidential data is never directly written to the device.

On the other hand, most people don't have to worry about that level of attacker.

Item 3) also applies to SSDs, where the wear-levelling mechanism introduces an additional layer of indirection between Windows-side sector addressing and internal sector use, with redundant sectors that are temporarily inaccessible. This means that a relevant number of sectors with potentially clear-text data may be outside the actual addressing, and thus outside the wipe. They are zeroed out before they become visible again, but if they are read under lab conditions while still invisible…

Again, encryption can help here, but the disk should not yet have a relevant history of clear-text sectors before initial encryption.

Not even a new phenomenon – back in 1986 or so, I bought a 10MB (yes, megabyte – it was big in those days!) hard disc for my BBC Micro network which turned out to have had lots of interesting stuff on it when I got hold of a sector editor later on…

If you’re “dd”ing the entire hard drive, it stands to reason that you’re either selling the computer with no OS installed, or (re-)installing it once all the data has been destroyed. For all that effort and work (considering that the computer is worth re-selling in the first place), just destroy the old drive and put a new one in.

Hard drives are just not that expensive. If the computer is worth re-selling and re-using, you should be able to get enough for it to at least cover the price of the new hard drive and a little bit more for your trouble, and if the computer is so old that it is only a curiosity, then it will hold the door open without a hard drive.

In any case, when you “dd” (or otherwise over-write) a hard drive, you’re adding a lot of wear and tear to an already-old drive, and the buyer will have to replace it all that much sooner. I’d rather buy a computer without a hard drive and put one in, rather than buy one and have the drive go out a few months, weeks, or even days after I start using it.